[OAUTH-WG] Re: WG Last Call: draft-ietf-oauth-rfc8725bis-02 (Ends 2025-12-15)

Michael Jones <michael_b_jones@hotmail.com> Mon, 12 January 2026 15:42 UTC

From: Michael Jones <michael_b_jones@hotmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>
Date: Mon, 12 Jan 2026 15:42:49 +0000
CC: "oauth@ietf.org" <oauth@ietf.org>
Subject: [OAUTH-WG] Re: WG Last Call: draft-ietf-oauth-rfc8725bis-02 (Ends 2025-12-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2ebIz7ShLH7FC3XMXYfc10bBf7I>

Dear OAuth Chairs and Working Group,

The editors have updated the draft in https://www.ietf.org/archive/id/draft-ietf-oauth-rfc8725bis-03.html to incorporate the last call feedback received.  Specifically, we have added a note about the compatibility problems that can be caused by retroactively retrofitting mandatory explicit typing where there was none.  And we have added an informative reference to draft-ietf-jose-deprecate-none-rsa15.

We believe that the next step is to obtain a shepherd review and then request publication.

                                                                Thanks,
                                                                -- Mike (for the editors)

From: Yaron Sheffer <yaronf.ietf@gmail.com>
Sent: Monday, December 1, 2025 7:51 AM
To: Michael Jones <michael_b_jones@hotmail.com>; Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>; draft-ietf-oauth-rfc8725bis@ietf.org; oauth-chairs@ietf.org; oauth@ietf.org
Subject: Re: [OAUTH-WG] Re: WG Last Call: draft-ietf-oauth-rfc8725bis-02 (Ends 2025-12-15)

Joining my co-author, I believe the draft is ready for publication.

Thanks,
      Yaron

On 01/12/2025, 17:35, "Michael Jones" <michael_b_jones@hotmail.com> wrote:
Unsurprisingly, as an author of the draft, having described all the new mitigations to issues that have come to light since the original JWT BCP was published as additional JWT best current practices, while retaining all of those already published in RFC 8725, I believe it is ready for publication.

                                Thanks all,
                                -- Mike

-----Original Message-----
From: Rifaat Shekh-Yusef via Datatracker <noreply@ietf.org>
Sent: Monday, December 1, 2025 5:46 AM
To: draft-ietf-oauth-rfc8725bis@ietf.org; oauth-chairs@ietf.org; oauth@ietf.org
Subject: WG Last Call: draft-ietf-oauth-rfc8725bis-02 (Ends 2025-12-15)


This message starts a 2-week WG Last Call for this document.

Abstract:
   JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security
   tokens that contain a set of claims that can be signed and/or
   encrypted.  JWTs are being widely used and deployed as a simple
   security token format in numerous protocols and applications, both in
   the area of digital identity and in other application areas.  This
   Best Current Practices (BCP) specification updates RFC 7519 to
   provide actionable guidance leading to secure implementation and
   deployment of JWTs.

   This BCP specification furthermore replaces the existing JWT BCP
   specification RFC 8725 to provide additional actionable guidance
   covering threats and attacks that have been discovered since RFC 8725
   was published.

File can be retrieved from:
https://datatracker.ietf.org/doc/draft-ietf-oauth-rfc8725bis/

Please review and indicate your support or objection to proceed with the publication of this document by replying to this email keeping oauth@ietf.org in copy. Objections should be motivated and suggestions to resolve them are highly appreciated.

Authors, and WG participants in general, are reminded again of the Intellectual Property Rights (IPR) disclosure obligations described in BCP 79 [1]. Appropriate IPR disclosures required for full conformance with the provisions of BCP 78 [1] and BCP 79 [2] must be filed, if you are aware of any. Sanctions available for application to violators of IETF IPR Policy can be found at [3].

Thank you.

[1] https://datatracker.ietf.org/doc/bcp78/
[2] https://datatracker.ietf.org/doc/bcp79/
[3] https://datatracker.ietf.org/doc/rfc6701/